Last Updated: 24/06/2026
GDPR, Security and Customer Data Protection Policy
This policy should be read alongside Perkstar’s Privacy Notice, Terms of Service, Data Processing Agreement and Sub-processor information.
Plain English Summary
Loyalty software handles real customer data.
When a customer joins a loyalty programme, a business often collects information such as names, email addresses, phone numbers, dates of birth, visit history, purchase activity, reward balances, wallet pass activity, marketing preferences and consent records.
That means choosing a loyalty provider is not only a product decision.
It is a data protection decision.
Businesses should also understand whether their provider actually owns and controls the software, or whether customer data is being passed through a hidden white-label platform or third-party processor chain.
Perkstar is built to help businesses run loyalty programmes properly, with GDPR compliance, security, customer consent, data rights, staff access controls, audit records and accountability built into the platform.
Any provider can say they are GDPR compliant.
The real question is whether they can prove it.
Perkstar is designed to give businesses the tools, controls and operating evidence needed to manage customer data responsibly.
1. Purpose
This policy explains how Perkstar protects customer data and supports GDPR-compliant loyalty operations.
Perkstar provides businesses with tools to create and manage digital loyalty cards, wallet passes, rewards, customer communication and customer data workflows.
Because loyalty programmes involve the collection and processing of personal data, Perkstar is built with GDPR compliance, privacy, consent management, security and accountability at the core of the platform.
This policy explains how Perkstar handles customer data and how responsibilities are shared between Perkstar and the businesses using the platform.
2. Scope
This policy applies to personal data processed through the Perkstar platform, including data relating to customers who join loyalty programmes created by businesses using Perkstar.
This includes data collected through:
loyalty card sign-up forms
Apple Wallet and Google Wallet passes
reward and loyalty activity
customer profiles
communication preferences
consent records
customer data request workflows
platform administration tools
enabled integrations
customer imports
reporting and analytics tools
This policy does not replace a business’s own privacy policy, internal data protection policies or legal obligations under applicable data protection laws.
3. Data Controller and Data Processor Roles
For most loyalty programmes, the business using Perkstar is the data controller.
This means the business decides why personal data is collected, what data is collected, how it is used, what lawful basis applies and how long the data is kept.
Perkstar acts as the data processor.
This means Perkstar processes personal data on behalf of the business to provide the loyalty platform and related services.
Perkstar processes customer data to:
create and manage digital loyalty cards
operate wallet passes
record loyalty activity
manage reward balances
support customer communication
maintain consent and preference records
support customer data rights workflows
provide reporting and analytics
maintain security and audit records
provide support and platform administration
support integrations enabled by the business
Businesses using Perkstar remain responsible for ensuring that their own use of customer data complies with applicable data protection laws.
4. Proof, Not Promises
Any software provider can claim to be GDPR compliant.
They can say it on a website.
They can write it in a sales email.
They can add it to a proposal.
They can include it in a pricing table.
The real question is whether they can demonstrate it.
A business should not rely only on a sales page, verbal reassurance or a line in a proposal. When customer data is involved, the provider should be able to show how the platform protects data, records consent, controls staff access, handles customer rights, manages sub-processors and responds to security incidents.
Perkstar is designed to support that level of evidence.
Perkstar maintains practical controls and records covering:
consent and preference management
customer data rights workflows
access controls
role-based permissions
audit logs
staff activity records
retention and anonymisation
vendor and sub-processor review
Data Processing Agreement support
breach response procedures
privacy-focused product design
This helps businesses carry out proper due diligence before trusting a platform with customer data.
Do not just ask a loyalty provider, “Are you GDPR compliant?”
Ask:
“Can you prove how?”
5. Types of Personal Data Processed
The personal data processed through Perkstar depends on how each business configures its loyalty programme.
This includes data such as:
customer name
email address
phone number
date of birth
customer ID
wallet pass identifiers
loyalty card activity
points, stamps or reward balances
purchase or visit activity
membership or pass status
communication preferences
marketing consent records
opt-out records
customer data request records
imported customer data
operational and audit logs
In the UK and EU, this information is generally referred to as personal data. Some businesses also refer to it as PII, or personally identifiable information.
Perkstar encourages businesses to collect only the customer data they need to operate their loyalty programme.
6. Consent and Communication Preferences
Perkstar supports clear consent and communication preference management.
Not all customer communication is the same.
Some communications are transactional or operational, such as wallet pass updates, reward balance updates, card status updates or service-related messages.
Other communications are marketing communications, such as promotional campaigns, offers, win-back messages, SMS marketing, email marketing or promotional push notifications.
Perkstar separates these areas so customer choices are respected.
Perkstar supports separate preferences for:
email marketing
SMS marketing
push marketing
transactional wallet updates
advertising and analytics tracking
general customer communication preferences
A customer joining a loyalty programme does not automatically mean they have agreed to every type of marketing, advertising or tracking activity.
Businesses remain responsible for choosing the correct lawful basis for their communications and ensuring that their privacy notices and marketing practices are compliant.
7. Advertising, Analytics and Tracking Consent
Perkstar supports advertising, analytics and tracking controls where these features are enabled by the business.
These include integrations and events connected to analytics tools, advertising platforms and customer tracking systems.
Perkstar treats advertising and analytics tracking separately from the basic operation of a loyalty card.
Customers are not added to advertising audiences, tracking pixels or remarketing workflows unless the correct lawful basis or consent is in place.
Businesses using these features remain responsible for ensuring that their tracking, analytics and advertising activity complies with applicable privacy, cookie and electronic marketing laws.
8. Imported Customer Data
Where a business imports customer data into Perkstar, the business remains responsible for ensuring that the data was collected lawfully.
This includes customer data imported from:
spreadsheets
previous loyalty providers
POS systems
booking systems
ecommerce platforms
CRM systems
manual customer lists
offline sign-up forms
Before importing data, businesses should confirm they have an appropriate lawful basis and, where required, valid marketing consent.
Perkstar protects and manages the data once it is inside the platform, but importing data into a compliant system does not make unlawfully collected data compliant.
Businesses are responsible for ensuring that imported lists are accurate, lawful and suitable for the intended use.
9. Customer Data Rights
Customers have rights over their personal data under applicable data protection laws.
These include the right to:
access their personal data
request a copy of their personal data
correct inaccurate data
request deletion or anonymisation
restrict certain processing
object to certain processing
withdraw consent where processing is based on consent
Perkstar provides tools and workflows to help businesses manage customer data requests.
The business using Perkstar remains responsible for reviewing and responding to customer requests as the data controller.
Perkstar supports the business in handling these requests where the requested data is processed through the Perkstar platform.
10. Internal Access and Data Leakage
Data protection is not only about stopping external attacks.
Customer data can also be exposed through poor internal controls, excessive staff permissions, unmanaged exports, shared logins, former staff accounts, or support users accessing more data than they need.
Perkstar is designed to reduce this risk by supporting controlled access, role-based permissions, audit records and accountable staff activity.
This helps reduce the risk of:
unnecessary access to customer data
accidental disclosure
internal misuse
unauthorised exports
former staff retaining access
shared staff accounts
staff changing customer records without accountability
admin users accessing more data than required
support access being used without proper control
customer data being viewed, changed or exported without a clear record
Businesses should treat internal access as part of their GDPR risk assessment, especially where staff can view customer profiles, export data, send messages or change customer records.
Staff access should be reviewed regularly and removed as soon as it is no longer required.
Good data protection includes permissions, staff controls, auditability and limiting access to what is necessary.
11. Security Measures
Perkstar maintains technical and organisational measures to protect personal data processed through the platform.
These include:
controlled access to customer data
role-based access controls
audit records for key actions
secure platform administration
data access restrictions
staff permission management
operational monitoring
vendor and sub-processor review
security-focused development practices
incident response procedures
Security is part of data protection.
A personal data breach can involve more than a cyberattack. It can also include accidental disclosure, unauthorised access, incorrect sharing, misconfigured permissions or customer data being exposed to the wrong person.
12. Audit Records and Accountability
Perkstar supports accountability by maintaining records for key privacy, consent, customer activity and administrative actions.
These records help businesses understand:
when a customer joined a loyalty programme
what consent or preferences were recorded
when customer data was updated
when key customer actions took place
which staff users performed certain actions
how customer data requests were handled
what communication preferences were applied
when customer data was exported
when important customer records were changed
Auditability is important because GDPR compliance is not only about having policies.
It is also about being able to demonstrate how data was handled in practice.
13. Data Retention and Anonymisation
Customer data should not be kept indefinitely without a valid reason.
Perkstar supports retention and anonymisation workflows to help businesses manage customer data responsibly.
Retention decisions depend on:
the type of loyalty programme
the business’s legal obligations
the customer’s activity
whether the customer has requested deletion
whether the business account is active or cancelled
whether the data is needed for audit, fraud prevention, legal claims or operational records
Businesses remain responsible for deciding appropriate retention periods for their own customer data.
Where a customer requests deletion or anonymisation, Perkstar supports the business in carrying out that request within the platform, subject to any legal or operational retention requirements.
14. Sub-Processors and Vendors
Perkstar uses trusted third-party vendors and sub-processors to provide parts of the platform and related services.
These include providers for hosting, storage, communications, payments, analytics, wallet pass functionality, support tools and other operational services.
Perkstar reviews vendors and sub-processors involved in the processing of personal data.
Perkstar makes information about relevant sub-processors available to customers.
Businesses should review Perkstar’s Data Processing Agreement and sub-processor information where applicable.
15. White-Label and Reseller Platform Risk
Some loyalty providers do not own or control the software they sell.
They resell or white-label another company’s platform under their own brand. This is not automatically wrong, but it must be transparent.
If a loyalty provider uses another software provider behind the scenes, that underlying provider may also process customer data. This means there may be an additional processor or sub-processor involved in handling personal data.
Businesses should know who is actually processing their customer data.
A provider should be clear about:
whether they own and control the platform
whether the software is white-labelled or resold
who the underlying software provider is
whether that provider is listed as a sub-processor
who has access to customer data
who controls hosting, security and infrastructure
who is responsible for breach notification
who handles deletion, export and retention
how quickly security or compliance issues can be fixed
what happens if the reseller relationship ends
A lack of transparency is a warning sign.
If a provider cannot clearly explain who owns the software, who controls the system, who can access the data and who is legally responsible for processing it, the business is taking on unnecessary risk.
Perkstar does not operate as a hidden white-label reseller. Perkstar is built, operated and controlled as the platform businesses contract with, so Perkstar can maintain direct responsibility for the controls, workflows, security measures and compliance evidence described in this policy.
16. Data Processing Agreement
Where Perkstar acts as a data processor, Perkstar provides a Data Processing Agreement to customers.
The Data Processing Agreement explains the processing relationship between the business and Perkstar, including:
the subject matter of processing
the duration of processing
the nature and purpose of processing
the types of personal data processed
the categories of data subjects
the responsibilities of each party
sub-processor arrangements
security obligations
assistance with customer rights requests
breach notification responsibilities
data return, deletion and retention obligations
Businesses should review the Data Processing Agreement before using Perkstar to process customer data.
17. Personal Data Breach Response
Perkstar maintains procedures for identifying, reviewing and responding to potential personal data breaches.
A personal data breach includes:
unauthorised access to customer data
accidental disclosure
loss of data
incorrect sharing of data
misconfigured permissions
unauthorised exports
exposure caused by a vendor or sub-processor
Where Perkstar becomes aware of a personal data breach affecting customer data processed on behalf of a business, Perkstar investigates, responds and takes appropriate remedial action.
Where required, Perkstar notifies affected businesses in accordance with its legal and contractual obligations.
The business, as data controller, is responsible for assessing whether the incident must be reported to a regulator or communicated to affected individuals.
18. ICO Registration and Regulatory Responsibilities
Perkstar is registered with the Information Commissioner’s Office where required and pays the UK data protection fee where applicable.
Businesses using Perkstar are also responsible for assessing whether they need to register with the ICO or pay the data protection fee based on their own processing activities.
Perkstar does not claim to be “approved” by the ICO.
The ICO does not generally approve ordinary SaaS providers. The correct standard is whether a provider maintains appropriate data protection practices, pays the data protection fee where required, has suitable documentation, provides a Data Processing Agreement, and can demonstrate how customer data is handled.
19. Customer Responsibilities
Businesses using Perkstar are responsible for their own compliance with applicable data protection laws.
This includes responsibility for:
deciding what customer data to collect
identifying the lawful basis for processing
providing appropriate privacy notices
obtaining valid consent where required
managing marketing permissions
handling customer complaints
responding to customer data rights requests
deciding retention periods
managing staff access
ensuring imported customer data has been collected lawfully
ensuring campaigns comply with marketing laws
reviewing the Data Processing Agreement
taking legal advice where needed
Perkstar provides tools and workflows to support GDPR-compliant operation, but it does not replace a business’s own legal responsibilities.
20. What Perkstar Does Not Replace
Perkstar provides tools, controls and workflows to support responsible GDPR operation.
Perkstar does not replace:
a business’s own privacy policy
independent legal advice
lawful basis decisions
marketing decisions
internal staff policies
internal data protection training
a business’s own customer communications rules
the business’s responsibility for imported data
the business’s responsibility for how it uses customer data
Businesses remain responsible for what data they collect, what messages they send, what lawful basis they rely on, how their staff use the platform and whether their own practices comply with applicable law.
Perkstar provides compliance-focused infrastructure, controls and workflows to support responsible operation, but software does not remove the business’s own legal responsibilities.
21. Why This Matters
If customer data is mishandled, the consequences can be serious.
A business may face customer complaints, loss of trust, regulatory investigation, enforcement action, legal costs, operational disruption and, in serious cases, financial penalties.
For serious GDPR infringements, penalties can be significant. The risk is not only the size of a possible fine. It is also the damage caused by being unable to prove that customer data was handled properly.
This is why businesses should not choose loyalty software based only on features or price.
They should choose a provider that can show how customer data is protected.
22. Questions To Ask Any Loyalty Provider
Before choosing a loyalty platform, businesses should ask:
Do you provide a Data Processing Agreement?
Can you show your current DPA and sub-processor list?
Are you registered with the ICO where required, or exempt?
Who are your sub-processors?
Where is customer data stored or processed?
How is customer consent recorded?
Can customers withdraw marketing consent?
Is email, SMS, push and tracking consent separated?
How do you prevent staff from accessing data they do not need?
Are staff actions and exports audited?
Can former staff access be removed quickly?
How do you handle customer data access or deletion requests?
How long is customer data retained?
What happens when an account is cancelled?
What is your breach response process?
Can you provide evidence of these controls?
Do you own and control the software platform, or is it white-labelled from another provider?
If it is white-labelled, who is the underlying software provider?
Is the underlying provider listed as a sub-processor?
Who actually has technical access to customer data?
Who is responsible for security fixes, breach response and data deletion?
Can you provide evidence of the controls operated by the underlying platform?
If a provider cannot answer these questions clearly, the business is taking on unnecessary risk.
A serious loyalty provider should be able to show how customer data is protected, not just claim that it is.
23. Evidence and Proof of Compliance
Compliance is more than a statement.
A responsible loyalty provider should be able to explain and demonstrate how it handles customer data.
Perkstar maintains operational evidence relating to:
consent and preference management
customer data rights workflows
access controls
audit records
data retention and anonymisation
vendor and sub-processor review
breach response procedures
processor responsibilities
platform security controls
privacy-focused product design
Businesses should not simply ask whether a provider is GDPR compliant.
They should ask how the provider can prove it.
Perkstar is built to help provide that proof.
24. Policy Review
Perkstar reviews and updates this policy to reflect changes in the platform, legal requirements, operational practices and data protection guidance.
The latest version of this policy applies from the date it is published or otherwise made available.
25. Important Notice
This policy explains Perkstar’s approach to GDPR, security and customer data protection.
Businesses using Perkstar remain responsible for their own data protection compliance, privacy notices, lawful basis decisions, marketing practices and customer data handling.
This policy is general information and is not legal advice. Businesses should take independent legal advice where required.
26. Useful References
Businesses may find the following resources useful:
ICO data protection fee guidance: https://ico.org.uk/for-organisations/data-protection-fee/
ICO data protection audit framework: https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/
ICO enforcement action: https://ico.org.uk/action-weve-taken/enforcement/
GDPR Article 83 penalties: https://gdpr-info.eu/art-83-gdpr/